This note maps the opinions of some stakeholders to the White Paper of the Committee of Experts on a Data Protection Framework for India, released on 27 November, 2017 (“White Paper”).
While all responses to the White Paper are currently unavailable, responses of twenty-six (26) stakeholders are available on Dvara Research’s blog, here.
In July 2017, the Ministry of Electronics and Information Technology (MEITY) had constituted a Committee of Experts, chaired by Justice B.N. Srikrishna (“the Srikrishna Committee”) to frame recommendations for a data protection framework for India. In January, 2018, the Srikrishna Committee concluded a nation-wide stakeholders’ consultation on key issues of data protection. This consultation was based on two hundred and thirty (230) questions that it had raised in the White Paper. Final recommendations of the Srikrishna Committee are awaited.
Among many other issues raised, the Srikrishna Committee had flagged the protection of cross-border data flows as an important issue in Chapter 8 of Part II of the White Paper. As we have stated earlier, while all stakeholder submissions to the Srikrishna Committee have not been made public, Dvara Research has published a list of twenty-six (26) publicly available comments. This note maps responses of these stakeholders on cross-border data flows.
The White Paper raises the following four questions on cross border data flows:
First, “What are your views on cross-border transfer of data?”;
Second, “Should the data protection law have specific provisions facilitating cross border transfer of data? If yes, what should the adequacy standard be the threshold test for transfer of data?”,
Third, “Should certain types of sensitive personal information be prohibited from being transferred outside India even if it fulfils the test for transfer?” and,
Fourth, “Are there any other views on cross-border data transfer which have not been considered?”
The following table projects the stances of the stakeholders on each of these issues.
|Stakeholders||Cross-border transfer of data
|Whether law needs specific provisions facilitating cross-border transfer||Adequacy standard as threshold test for transfer of data
|Prohibition on transfer of sensitive personal information, even if it fulfils the test for transfer||Other views on cross-border data transfer|
|Industry Associations –3*
BSA, iSPIRT, and ITI
|BSA||Acknowledge that proper mechanisms for cross-border data flows are essential for cyber-security.||Law should explicitly recognize ability to transfer personal data outside India.
|Adequacy standard unlikely to add significantly to data protection; could hinder innovation and growth in India’s digital economy.||Against bans on transfer of certain categories of data, including those based on the sensitivity of data.
|No clear response.|
|iSPIRT||Data protection authority should be able to proactively regulate cross-border transfers.||A flexible adequacy framework should be developed.||No clear response.
|For sensitive data transfer, user consent should be the overriding factor.
|No clear response.|
|ITI||Restrictions on cross-border data transfer create challenges for compliance and enforcement and distort global marketplace.||No clear response.||Adequacy model not recommended for India.||No clear response.||Model contractual clauses are low-burden way for organizations to comply with obligations to protect personal data during cross-border transfers.|
|Civil society organisations – 9**
Access Now; CCG; CIS; Centre for Trade and Investment Law; Harvard FXB Center;
ORF; Professor Graham Greenleaf; SFLC; and Takshashila Institution.
|Access Now||Acknowledges that proper mechanisms for cross border flow of data are essential.
|An online portal with more information and a policy document on proposals to reform MLAT (Mutual Legal Assistance Treaty) system sent to the Committee.
|Pointed out that Article 45, GDPR (General Data Protection Regulation) does not itself provide for an adequacy test, only indicates adequacy as a mechanism for transfer.||No clear response.||No clear response.|
|CCG||India should avoid articulations of uncertain scope in claims for extra-territorial jurisdiction.
|Requirements such as mandatory data localization should be avoided in such restrictive practices.
|No clear response.
|No clear response.||No clear response.|
|CIS||Recommends minimal restrictions with respect to cross-boundary transfer of data in India.
|Law should promote cross-boundary transfer by provisions that clarify issues relating to jurisdiction and liability that arises from such transfer.
|Adequacy standard can be expensive, time-consuming and restrictive process and is not helpful to determine where data can flow freely.
|Should be left on the individual to determine whether his sensitive personal data can be transferred for specific purpose.
|Important to clarify how new provision relating to cross-border transfer of data will affect existing legal obligations under MLATs.
|Centre for Trade and Investment Law||GATS will have implications on restrictions on cross-border data flow.||No clear response.||No clear response.
|No clear response.||Any contravention of the mutual responsibilities assigned, on India’s part as a WTO member can be met with opposition by any member state of the WTO.
|Harvard FXB Centre||Cross-border transfer of data is necessary for health data.
|Adoption of adequacy test should be considered.
|Periodic review of adequacy or limits of exemptions needed to ensure that policy has the upper ground with respect to the changing technology and cultural acceptance.
|Data localisation is not necessarily safer alternative with regard to protection of sensitive data.
|No clear response.|
|ORF|| Data protection law must facilitate cross border sharing of data.
|India should not adopt an adequacy standard since data protection rules will take years to mature.||No clear response.||No clear response.||New data protection regime must recognise the need for prioritising the ability of Indian firms to build services based on Indian data.
|Professor Graham Greenleaf||Where it is proposed that delegated processing will take place outside India, all applicable rules concerning cross-border transfers must apply, as if the data was being transferred to a third party.
|Adequacy standard may be included.||India’s DPA should have the ability to determine which countries meet adequacy
criteria under Indian law. However, decision
should be subject to objective tests which can be tested in the courts, as is the case in EU.
|No clear response.||No clear response.|
|SFLC||The law should leave no room for ambiguity regarding situations in which data transfer is or is not allowed to another country.
|Data Protection Authority can ban data transfers to known bad actors by creating two blacklists:
1. Countries that violate data safety principles.
2. Data controllers known to violate privacy obligations.
|While performing an adequacy test, Data Protection Authority should consider the following, in addition to requirements under Article 45, GDPR:
· Safe storage practices;
· Access to data by judicial process;
· Existence of mass surveillance programs;
· Applicability of the principle of accountability.
|There should be no restrictions on cross-border transfer of sensitive personal data if it fulfils the test for transfer.
|No clear response.|
|Takshashila Institution||There should be strict rules that limit cross-border transfers.
|Organisational accountability can be achieved through use of codes of conduct, internal policies, procedures regarding handling of personal information, or contractual arrangements.
|Making adequacy test the threshold test for transfer of data may hinder free movement of data as Data Protection Authority may not have decided about level of data protection in all countries to which data might need to be transferred.
|Depending on the nature of the information, certain sensitive information may be required to be stored within the country.
|As an alternative, data protection framework may mandate the use of contractual provisions to ensure appropriate protection.
*Industry Associations: ITI – Information Technology Industry Council, BSA – Business Software Alliance, iSPIRT – Indian Software Product Industry Round Table.
**Civil Society Organisations: Access Now; CCG- Centre for Communication Governance, NLU Delhi; CIS- The Centre for Internet and Society; Centre for Trade and Investment Law – Dr. James J. Nedumpara and Mr. Sandeep Thomas Chandy, Centre for Trade and Investment Law, Ministry of Commerce; Harvard FXB Center – Harvard FXB Center for Health and Human Rights; ORF – Observer Research Foundation; Professor Graham Greenleaf; SLFC – Software Freedom Law Centre; and Takshashila Institution.
Adequacy as a threshold test for cross-border data transfers
The White Paper identifies the adequacy test, articulated under Article 45 of the EU GDPR, as a useful mechanism for protecting transfers of personal data across borders. Simply put, the adequacy test requires that personal data only be transferred to those countries that are declared by the data protection authority as having an ‘adequate’ level of data protection. The Srikrishna Committee’s call for views on an adequacy standard for cross-border data transfers has generated the following responses, broadly:
1. Adequacy standard should not be adopted by India (3 responses): BSA, ITI, ORF
1.1 BSA does not consider the adequacy standard to be a significant addition to India’s data protection law.
1.2 ITI and ORF have stated that the adequacy model is not recommended for India.
2. Adequacy standard may be adopted by India (4 responses): iSPIRT, Harvard FXB Center, SFLC and Professor Graham Greenleaf
2.1 As per iSPIRT, Harvard FXB Center and Professor Graham Greenleaf, India should consider adopting an adequacy standard.
2.2 SLFC has suggested considering the following factors while performing the adequacy test, over and above the requirements under Article 45 of the EU GDPR:
2.2.1 Safe storage practices;
2.2.2 Access to data by judicial process;
2.2.3 Existence of mass surveillance programs
2.2.4 Applicability of the principle of accountability.
3. No clear response (4 responses): CCG, Centre for Trade and Investment Law, CIS and Takshashila Institution
3.1 CCG and the Centre for Trade and Investment Law did not have a clear stance on the subject of an adequacy standard for India’s data protection framework.
3.2 CIS observed that the adequacy standard can be an expensive, time-consuming and restrictive process which does not help to determine where data can flow freely.
3.3 Takshashila Institution expressed concern over the effects of the adequacy test on the free movement of data.
Prohibition on transfer of sensitive personal information
Chapter IV (Part II) of the White Paper deals with the subject of sensitive personal information, which includes data relating to health, genetics, biometrics, religious beliefs and sexual orientation. Due to the intimate nature of this data and the serious privacy interest involved, the White Paper suggests prescribing heightened protections for sensitive data. In this context, the White Paper sought stakeholders’ opinions on prohibiting the transfer of sensitive personal information to another country, even if it fulfilled the test for cross-border transfers. The Srikrishna Committee’s call for views on the prohibition on transfers of sensitive personal data has generated the following responses, broadly:
1. In favour of prohibiting transfer of sensitive personal information (1 response): Takshashila Institution
1.1 Takshashila Institution is of the opinion that certain sensitive information may be required to be stored within the country, depending on the nature of the information.
2. Against ban on transfer of sensitive personal information (2 responses): BSA and SFLC
2. 1BSA is against bans on transfer of sensitive personal information
2.2 SFLC is of the view that there should be no restrictions on cross-border transfer of sensitive personal data if it fulfils the test for transfer.
3. User consent required for transfer of sensitive personal information (2 responses): iSPIRT and CIS
3.1 iSPIRT and CIS are of the opinion that it is the user’s prerogative to determine whether his or her sensitive personal data can be transferred.
4. No clear response (7 responses): Harvard FXB Center, ITI, Access Now, CCG, Centre for Trade and Investment Law, ORF and Professor Graham Greenleaf
4. 1 These stakeholders did not have a clear stance on the subject of prohibiting transfers of sensitive personal information.
[This post is authored by Shreya Mohapatra, TRA intern and Tuhina Joshi, Associate with inputs from Nehaa Chaudhari, Public Policy Lead].